From: Dan Mick <dmick@redhat.com>
Date: Wed, 13 Mar 2024 19:33:50 +0000 (-0700)
Subject: checkcerts.py: certificate errors were not noted
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=9f71b4b296298f2a8832dffc6257c4d0df327ee7;p=ceph-cm-ansible.git

checkcerts.py: certificate errors were not noted

When a certificate is already expired, its expiry was not noted
(loop exited early).  This stills doesn't explain the lack of early
warning, but at least it'll fix the "no email on actual errors" issue.

Signed-off-by: Dan Mick <dmick@redhat.com>
---

diff --git a/tools/checkcerts.py b/tools/checkcerts.py
index e0d3efc..f195074 100755
--- a/tools/checkcerts.py
+++ b/tools/checkcerts.py
@@ -85,25 +85,29 @@ def main():
 
     warned = False
     for domain in domains:
+        errstr = None
+        certerr = False
         warn = datetime.timedelta(days=DAYS_BEFORE_WARN)
         try:
             with socket.create_connection((domain, 443)) as sock:
                 with context.wrap_socket(sock, server_hostname=domain) as ssock:
                     cert = ssock.getpeercert()
         except (ssl.CertificateError, ssl.SSLError) as e:
-            print(f'{domain} cert error: {e}', file=sys.stderr)
-            continue
-        expire = datetime.datetime.strptime(cert['notAfter'], 
-            '%b %d %H:%M:%S %Y %Z')
-        now = datetime.datetime.utcnow()
-        left = expire - now
-
-        leftstr = f'{domain:30s} cert: {str(left).rsplit(".",1)[0]} left until it expires'
+            certerr = True
+            errstr = f'{domain} cert error: {e}'
+
+        if not certerr:
+            expire = datetime.datetime.strptime(cert['notAfter'], 
+                '%b %d %H:%M:%S %Y %Z')
+            now = datetime.datetime.utcnow()
+            left = expire - now
+
+            errstr = f'{domain:30s} cert: {str(left).rsplit(".",1)[0]} left until it expires'
         if not args.quiet:
-            print(leftstr, file=sys.stderr)
-        if left < warn and args.email:
-            subject = f'{domain}\'s SSL Cert is expiring soon.'
-            body = leftstr
+            print(errstr, file=sys.stderr)
+        if (certerr or (left < warn)) and args.email:
+            subject = f'Certificate problem with {domain}'
+            body = errstr
             email = args.email
             if email == []:
                 email = DEFAULT_EMAIL